Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

avb_verify: Remove KVDB related verfications #7

Open
wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

avb_verify: Remove KVDB related verfications #7

wants to merge 1 commit into from

Conversation

JianyuWang0623
Copy link
Member

WARNING: Has NOT committed to gerrit yet

Summary

It`s unsafe to store values to KVDB.

  1. The options "-c" was removed, please use "-U"(upgrade verfication) instead.

    Comparing rollback index to prevent duplicate installation

  2. The parameters of INTERNAL used function avb_verify was updated:

    -int avb_verify(const char* partition, const char* key, const char* suffix, AvbSlotVerifyFlags flags)
    +int avb_verify(struct avb_params_t* params)

Impact

frameworks/system/ota/verify/avb_verify

Testing

    dd if=/dev/random of=1MB_1.1 bs=1MB count=1
    ../tools/avb_sign.sh 1MB_1.1 0 -P $(pwd)/1MB -o --dynamic_partition_size -o "--rollback_index_location 1" -o "--rollback_index 1"

    dd if=/dev/random of=1MB_1.2 bs=1MB count=1
    ../tools/avb_sign.sh 1MB_1.2 0 -P $(pwd)/1MB -o --dynamic_partition_size -o "--rollback_index_location 1" -o "--rollback_index 2"

    ./avb_verify -I 1MB_1.1
    ./avb_verify -I 1MB_1.2

    ./avb_verify -U 1MB_1.2 1MB_1.1 ../tools/keys/key.avb && echo PASSED || echo FAILED
    ./avb_verify -U 1MB_1.2 1MB_1.2 ../tools/keys/key.avb && echo PASSED || echo FAILED
    ./avb_verify -U 1MB_1.1 1MB_1.2 ../tools/keys/key.avb && echo FAILED || echo PASSED

    rm -v 1MB_1.1 1MB_1.2

Result

$     ./avb_verify -U 1MB_1.2 1MB_1.1 ../tools/keys/key.avb && echo PASSED || echo FAILED
PASSED
$     ./avb_verify -U 1MB_1.2 1MB_1.2 ../tools/keys/key.avb && echo PASSED || echo FAILED
PASSED
$     ./avb_verify -U 1MB_1.1 1MB_1.2 ../tools/keys/key.avb && echo FAILED || echo PASSED
avb_slot_verify.c:945: ERROR: 1MB_1.1: Image rollback index is less than the stored rollback index.
./avb_verify verify 1MB_1.1 error 4
PASSED

@JianyuWang0623
Copy link
Member Author

@Donny9 @gneworld Could you review this PR please?

xiaoxiang781216
xiaoxiang781216 reviewed Feb 13, 2025
View reviewed changes
@JianyuWang0623 JianyuWang0623 force-pushed the br_wjy_system_ota_avb_rm_kvdb_related_250212_openvela branch 2 times, most recently from 3435088 to 03af071 Compare February 13, 2025 04:31
@JianyuWang0623
avb_verify: Remove KVDB related verfications
c774428 
It`s unsafe to store values to KVDB.

1. The options "-c" was removed, please use "-U"(upgrade verfication) instead.

    Comparing rollback index to prevent duplicate installation

2. The parameters of INTERNAL used function `avb_verify` was updated:

    -int avb_verify(const char* partition, const char* key, const char* suffix, AvbSlotVerifyFlags flags)
    +int avb_verify(struct avb_params_t* params)

Test

    dd if=/dev/random of=1MB_1.1 bs=1MB count=1
    ../tools/avb_sign.sh 1MB_1.1 0 -P $(pwd)/1MB -o --dynamic_partition_size -o "--rollback_index_location 1" -o "--rollback_index 1"

    dd if=/dev/random of=1MB_1.2 bs=1MB count=1
    ../tools/avb_sign.sh 1MB_1.2 0 -P $(pwd)/1MB -o --dynamic_partition_size -o "--rollback_index_location 1" -o "--rollback_index 2"

    ./avb_verify -I 1MB_1.1
    ./avb_verify -I 1MB_1.2

    ./avb_verify -U 1MB_1.2 1MB_1.1 ../tools/keys/key.avb && echo PASSED || echo FAILED
    ./avb_verify -U 1MB_1.2 1MB_1.2 ../tools/keys/key.avb && echo PASSED || echo FAILED
    ./avb_verify -U 1MB_1.1 1MB_1.2 ../tools/keys/key.avb && echo FAILED || echo PASSED

    rm -v 1MB_1.1 1MB_1.2

Signed-off-by: wangjianyu3 <[email protected]>
@JianyuWang0623 JianyuWang0623 force-pushed the br_wjy_system_ota_avb_rm_kvdb_related_250212_openvela branch from 03af071 to c774428 Compare February 13, 2025 04:34
@xiaoxiang781216
Copy link
Contributor

@JianyuWang0623 ci fail.

@JianyuWang0623
Copy link
Member Author

@JianyuWang0623 ci fail.

"Parse PR Description for Dependencies" failed,
@zhangning21 @liujinye-sys Could you take a look please?

@openvela-robot
Copy link
Contributor

@JianyuWang0623 ci fail.

"Parse PR Description for Dependencies" failed, @zhangning21 @liujinye-sys Could you take a look please?

The inclusion of '$' in the body caused a parsing exception, which has been fixed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xiaoxiang781216 xiaoxiang781216 xiaoxiang781216 approved these changes

@GUIDINGLI GUIDINGLI Awaiting requested review from GUIDINGLI GUIDINGLI is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@JianyuWang0623 @xiaoxiang781216 @openvela-robot